Feeds

Will bloggers get the blame for DoH mess?

Criminal charges for who?

Choosing a cloud hosting partner with confidence

Opinion Health Secretary Patricia Hewitt said the mess made of online applications for doctors could lead to criminal charges. But did she mean the people responsible for such a shoddy system or did she mean the bloggers who brought the problems to light are likely to be charged?

A touch surprising to find the Secretary of State for Health, Patricia Hewitt, stating the truth in a written ministerial statement to the Commons on Tuesday:

"Because the investigation has made it clear that criminal offences may have been committed, the MWR analysis and report have been given to the police."

That "may" is a little mild, as it is quite clear that criminal offences have been committed during the wonderful little saga of the medical training application service (MTAS) and its computer system. Over and above the usual political porkies that is, such as this line from the statement:

"There had been two security breaches of the medical training application service (MTAS) that arose on 25 and 26 April."

There was no security breach that arose on 26 April. There was one that was revealed on that date, yes, but the breach went back to the beginnings of the system and was inherent in the design.

The breach itself was one that would ashame the most neophyte of script kiddies. There was no attempt to create a login session when someone entered the system, nor was there any checking of the IP of the machine being used to prevent session hijacking.

As David Gillies has pointed out: "There is NO WAY that this was anything other than gross incompetence. It is inconceivable that MTAS had a working login session mechanism that was then replaced by the brain-dead version it had when the security breaches came to light."

He then goes on to say that this is a level of stupidity likely actionable under the Data Protection Act. "Implementers of systems containing personal information have a statutory duty, I believe, to ensure only authorised persons have access to that data."

So there's our first criminal offence, among those who planned, built, and implemented this system.

Then there are those who brought the problem to light, such as the NHSBlogDoctor. Distressed at being informed of such a gaping loophole in the system he went to have a look for himself. This is a criminal offence - hacking a computer system. Unable to believe what he saw, he asked a few trusties to have a look themselves - another offence, incitement to hack a computer system.

Having committed these offences, what did the Good Doctor do then? He informed the Department of Health and the system was taken down within a few minutes, thus preventing said department from continuing in their own breach of the law.

Only the excessively cynical would believe that Ms Hewitt was referring only to the second set of breaches, rather than the first, or that the police will concentrate on the whistleblower(s) rather than the original problem.

The realists among us though, will note that there is still something of a problem. When alerted to a possible breach of the law by the authorities, it would seem that investigating such breach is in itself a criminal offence. That's certainly the way to bring about some accountability to the system don't you think? A way of preventing the more obvious lunacies, of improving the system?

But, of course, this is paranoia. No one is going to interpret the law that way, are they? In a world where adding ../../../ to a URL is worth £400 plus costs and the loss of your job and career. No, of course not, it's just paranoia. ®

Tim Worstall is a freelance and blogs at www.timworstall.com.

Intelligent flash storage arrays

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.